W3C home > Mailing lists > Public > public-webappsec@w3.org > October 2014

Re: [CSP] Inconsistency between Source hash introduction and Source hash usage

From: Keiji Takeda <keiji@sfc.keio.ac.jp>
Date: Tue, 28 Oct 2014 04:08:51 +0900
Message-ID: <544E9843.1050402@sfc.keio.ac.jp>
To: Mike West <mkwst@google.com>, Yagihashi Yu <yagihash@sfc.wide.ad.jp>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Mike,

Period('.') is missing...

 > 'Hello, world'

should be

 > 'Hello, world.'

Keiji Takeda

(2014/10/28 2:25), Mike West wrote:
> You're right that the spec is incorrect. That said, my results don't
> match yours. :)
>
> mini [18:24] ~ $ echo -n "alert('Hello, world');" | openssl dgst -sha256 -binary | openssl enc -base64
> b+jOy0DlwBaNGMxhuGypbGgvtY9mVoy1LlMALqJWsoY=
>
> How did you end up with 'qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng='?
>
> -mike
>
> --
> Mike West <mkwst@google.com <mailto:mkwst@google.com>>
> Google+: https://mkw.st/+, Twitter: @mikewest, Cell: +49 162 10 255 91
>
> Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany
> Registergericht und -nummer: Hamburg, HRB 86891
> Sitz der Gesellschaft: Hamburg
> Geschäftsführer: Graham Law, Christine Elizabeth Flores
> (Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
>
> On Fri, Oct 24, 2014 at 4:52 PM, Yagihashi Yu <yagihash@sfc.wide.ad.jp
> <mailto:yagihash@sfc.wide.ad.jp>> wrote:
>
>     I noticed descriptions about source hash are inconsistent in CSP
>     Lv.2 Last Call Working Draft.
>     http://www.w3.org/TR/CSP11/
>     http://www.w3.org/TR/CSP2/
>
>     In 4.2.5, the draft says "Let actual be the base64 encoding of the
>     binary digest of element’s content using the algorithm algorithm.”,
>     however in 7.17.2, says "For example, the SHA-256 digest of
>     alert('Hello, world.'); is
>     YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo=.”.
>     The section 4.2.5 describe correctly according to the actual
>     implementation for Google Chrome.
>     The correct base64-encoded SHA-256 binary digest of alert('Hello,
>     world.'); is qznLcsROx4GACP2dm0UCKCzCG+HiZ1guq6ZZDob/Tng=.
>
>     It’s obvious that the former is correct and the latter is wrong;
>     still, this mistake is sometimes misleading.
>     (It misled me, actually…)
>
>     /**
>       * Yu Yagihashi
>       * yagihash@sfc.wide.ad.jp <mailto:yagihash@sfc.wide.ad.jp>
>       */
>
>
Received on Wednesday, 29 October 2014 21:07:01 UTC
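A worked check of the two encodings under discussion, added here as an example; it is not code from either correspondent or from the CSP2 draft. For the draft's sample script it computes the hash source both ways: the base64 of the raw digest (the section 4.2.5 rule, which is what browsers compare against) and the base64 of the hex text plus the trailing newline that `openssl dgst` / `sha256sum` print, which reproduces the mistaken value in section 7.17.2. A decoded-length check tells the two apart for any value you are handed. Function names are my own; the openssl pipeline in the comments is the one quoted in the thread.

```python
import base64
import hashlib

# Constructed sample: the inline script used in the draft's example and by
# both correspondents in this thread (note the trailing period).
SCRIPT = "alert('Hello, world.');"

# Digest length in bytes for each algorithm CSP2 allows in a hash source.
DIGEST_BYTES = {"sha256": 32, "sha384": 48, "sha512": 64}


def csp_hash_source(script_text: str, algorithm: str = "sha256") -> str:
    """Correct form (draft section 4.2.5): base64 of the *binary* digest of the
    element's content. Equivalent to the shell pipeline in the thread:
        echo -n "<content>" | openssl dgst -sha256 -binary | openssl enc -base64
    """
    digest = hashlib.new(algorithm, script_text.encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def base64_of_hex_digest(script_text: str, algorithm: str = "sha256") -> str:
    """The mistaken form behind the value in draft section 7.17.2: the *hex*
    text of the digest, including the newline that `openssl dgst` (without
    -binary) or `sha256sum` print, run through base64. It is twice as long as
    a real hash source and will never match what a browser computes.
    """
    hexdigest = hashlib.new(algorithm, script_text.encode("utf-8")).hexdigest()
    return base64.b64encode((hexdigest + "\n").encode("ascii")).decode("ascii")


def looks_like_hash_source(value: str, algorithm: str = "sha256") -> bool:
    """Sanity check for any value you are about to put in a policy: a genuine
    hash source decodes to exactly the digest length (32 bytes for SHA-256).
    A base64-wrapped hex string decodes to 64 (+1) ASCII characters instead.
    """
    try:
        raw = base64.b64decode(value, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) == DIGEST_BYTES[algorithm]


def script_src_directive(script_text: str, algorithm: str = "sha256") -> str:
    """Render the hash source in the form used in a Content-Security-Policy
    header, e.g. script-src 'sha256-<base64>'."""
    return f"script-src '{algorithm}-{csp_hash_source(script_text, algorithm)}'"


if __name__ == "__main__":
    good = csp_hash_source(SCRIPT)
    bad = base64_of_hex_digest(SCRIPT)
    print("base64(binary digest), per 4.2.5:", good)
    print("base64(hex digest + newline), the 7.17.2 mistake:", bad)
    # Mike's command hashed the text without the period, hence his different
    # result; the hash source changes with any change to the content.
    print("same script without the period:", csp_hash_source("alert('Hello, world');"))
    for value in (good, bad):
        verdict = "32-byte digest" if looks_like_hash_source(value) else "not a raw digest"
        print(f"{value} -> {verdict}")
    print(script_src_directive(SCRIPT))
```

Run it and compare the two printed values against the ones quoted in the thread; the length check is the quickest way to spot a hex-then-base64 value in a policy or a build script, since it decodes to 65 bytes rather than 32.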